KubeCon + CloudNativeCon North America 2022
In-person + Virtual
October 24-28
Thursday, October 27 • 4:30pm - 5:05pm
Trust But Verify: Bringing Supply Chain Integrity To CD GitOps - Yuji Watanabe & Hirokuni Kitahara, IBM Research

Using GitOps automation to deliver Kubernetes cloud native applications lets you manage infrastructure the same way you manage application code, but it lacks the supply chain controls needed to ensure integrity and tamper-proof deployments. While application source dependencies have quickly benefited from SBOMs, transparency logs, and cryptographic signatures, delivery-side automation has not participated in the end-to-end integrity guarantees. In CD GitOps, Kubernetes manifests are composed from multiple source assets across several locations, each with its own potential for malicious or accidental tampering. Template-based mutations occur throughout continuous deployment and defeat typical signing and verification methods. This talk describes how a properly instrumented CD GitOps process can be extended to verify source assets, with cluster-side enforcement of signatures and policy permissions. By combining keyless signing via Sigstore with control points at each stage of GitOps, accurate cryptographic signing of source assets can be obtained and transparency of configuration provenance produced. Finally, using an admission controller such as Integrity Shield, cluster enforcement validates pipeline integrity.

Yuji Watanabe

Senior Technical Staff Member, IBM Research
Yuji Watanabe is a Senior Technical Staff Member at IBM Research who lives in Tokyo, Japan. He leads a research team on cloud native security and has been delivering new integrity monitoring and enforcement technology to the open-source community and products. His current focus is...

Hirokuni Kitahara

Researcher, IBM Research
Hirokuni Kitahara is a Research Scientist at IBM Research who lives in Tokyo, Japan. His current focus is on software supply chain integrity for cloud native applications, and he has been delivering integrity assurance technology on CI/CD to open-source communities and products. He contributes...

Thursday October 27, 2022 4:30pm - 5:05pm EDT
Ambassador Ballroom (Room 360)